'Intrusion prevention' raises hopes, concerns

By Ellen Messmer , Network World , 11/04/2002

New intrusion-detection systems that go beyond monitoring attacks to actually blocking them have network executives intrigued, but some worry that the devices could quash legitimate traffic, cause network latency and present a single point of failure.

Unlike traditional IDS products, which sit out of the traffic path, passively monitoring copies of the traffic going by and leaving the blocking of attacks to routers or firewalls, these new "intrusion-prevention" systems sit in line and inspect traffic directly as it makes its way from outside a corporate LAN to end users' desktops.

The latest vendors to air plans for such intrusion-prevention appliances are Top Layer Networks and Sourcefire. Top Layer, which already makes a variety of network security devices, next week plans to announce appliances focused on HTTP (port 80) attacks, computer worms and other signature-matched attacks it says companies will not hesitate to block. Separately, Sourcefire Founder and CTO Martin Roesch - who has commercialized the Snort intrusion-detection freeware he developed - divulged that the company is readying an intrusion-prevention device for early next year. These companies follow others such as Internet Security Systems (ISS), IntruVert, NetScreen Technologies and TippingPoint Technologies into the market.

For organizations seeing no slowdown in attacks, it may be hard to pass up new offerings despite reservations being expressed.

"Passive monitoring just wasn't accomplishing anything," says Stephen Olsen, IT director at The Las Vegas Review Journal, which has used the NetScreen IDP-100 to guard its multimegabit Internet access connection. But the Review is using the product to block only a modest portion of known attacks because of concern about dropping legitimate traffic for the Web sites the publication manages.

With the FBI's help, the Review is chasing down and prosecuting a hacker who had attacked the publication via the Internet. The IDP-100-generated report helped provide evidence about the hacker's activity, although the strongest evidence probably came from packets originating from the hacker's IP address that weren't blocked as opposed to those that were, Olsen says.

Such issues will come to the forefront as more companies try intrusion prevention.

"If you have critical traffic flowing through critical ports, you have to be concerned about the potential of false positives," says Lloyd Hession, chief security officer at Radianz in New York, which uses the ISS Guard blocking appliance in a fail-safe mode on certain segments of the global IP network it runs for 5,000 financial firms. "With in-line intrusion detection, the real danger is that you've added an extra hop, increasing latency and introducing a single point of failure."

Hession says that while the Guard product has proven its worth by shutting out the Nimda worm, among others, he's not ready to make intrusion prevention ubiquitous on the Radianz network, given the sensitive nature of the data flowing across it.

"There are latency issues with these devices," he says. "You add a significant delay when you bring one of these into your network."
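The three trade-offs the article describes (passive alert-only monitoring versus in-line blocking, blocking only the signatures an operator is sure about while leaving broader heuristics in alert mode, and a fail-safe mode so an engine fault does not turn the appliance into a single point of failure) can be shown in a toy inspection engine. The following is an added example written for this page, not code from the article or from any vendor it mentions; the signatures, the HTTP request lines and the `BrokenPattern` fault stand-in are all constructed for illustration.

```python
"""Toy in-line inspection engine illustrating passive vs. blocking operation.

Added example, not from the article or any product named in it. Signatures
and request lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    pattern: object   # anything with a .search(text) method (normally re.Pattern)
    action: str       # "alert" logs only; "block" drops the request in line


@dataclass
class Verdict:
    forwarded: bool
    alerts: list = field(default_factory=list)


# Constructed signatures. The first two are the unambiguous port-80 attacks an
# operator "will not hesitate to block" (Nimda-style traversal, cmd.exe calls).
# The third is a broad heuristic deliberately left in alert-only mode: "select"
# also appears in legitimate requests, so blocking on it would drop real traffic.
SIGNATURES = [
    Signature("dir-traversal", re.compile(r"\.\./|%2e%2e%2f|%c0%af", re.I), "block"),
    Signature("cmd-exe", re.compile(r"/cmd\.exe", re.I), "block"),
    Signature("sql-keyword", re.compile(r"\bselect\b", re.I), "alert"),
]

# Constructed sample traffic: one benign request, one Nimda-style probe and one
# legitimate search query that trips the broad heuristic (a false positive).
REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /search?q=select+a+newspaper HTTP/1.0",
]


def inspect(request, signatures, fail_open=True):
    """Return a Verdict: whether the request is forwarded and which signatures fired.

    fail_open=True is the article's "fail-safe mode": if the engine itself fails,
    traffic passes uninspected instead of the appliance becoming a point of failure.
    """
    verdict = Verdict(forwarded=True)
    try:
        for sig in signatures:
            if sig.pattern.search(request):
                verdict.alerts.append(sig.name)
                if sig.action == "block":
                    verdict.forwarded = False
    except Exception:               # engine fault: bad rule, resource exhaustion, ...
        verdict.forwarded = fail_open
    return verdict


def as_passive(signatures):
    """Traditional IDS: same signatures, but nothing is ever dropped."""
    return [Signature(s.name, s.pattern, "alert") for s in signatures]


def run(requests, signatures, fail_open=True):
    """Inspect a batch. Returns (forwarded_requests, alert_log)."""
    forwarded, log = [], []
    for req in requests:
        v = inspect(req, signatures, fail_open)
        outcome = "passed" if v.forwarded else "blocked"
        for name in v.alerts:
            log.append((name, req, outcome))
        if v.forwarded:
            forwarded.append(req)
    return forwarded, log


class BrokenPattern:
    """Constructed stand-in for an engine fault (e.g. a rule that blows up)."""
    def search(self, _text):
        raise RuntimeError("inspection engine fault")


def demo_fail_open(request="GET /index.html HTTP/1.0"):
    """Same faulty rule set, fail-open vs. fail-closed: returns (open, closed)."""
    broken = [Signature("broken", BrokenPattern(), "block")]
    return (inspect(request, broken, fail_open=True).forwarded,
            inspect(request, broken, fail_open=False).forwarded)


if __name__ == "__main__":
    for label, sigs in (("in-line", SIGNATURES), ("passive", as_passive(SIGNATURES))):
        fwd, log = run(REQUESTS, sigs)
        print(label, "forwarded", len(fwd), "of", len(REQUESTS))
        for entry in log:
            print("  ", entry)
    print("engine fault, fail-open vs fail-closed:", demo_fail_open())
```

Run in-line, the Nimda-style probe is dropped while the legitimate search query is merely logged; run in passive mode the same rules forward everything, which is the behaviour the article's sources describe as "not accomplishing anything". The `demo_fail_open` call shows why an operator might run the device fail-open on segments carrying critical traffic.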
